red-beard has asked for the wisdom of the Perl Monks concerning the following question:
Sample of logs: Aug 26 15:58:45 ns2b sendmail28597: i7QJwbXt028597: from=<rina@willmar.com>, size=17997, class=0, nrcpts=1, msgid=<x876126527.8746421781795333059@caelglobq>, proto=SMTP, daemon=MTA, relay=64-61-202-31.ips.cpinternet.com 64.61.202.31 Aug 26 15:58:45 ns2b clamav-milter11335: i7QJwbXt028597: stream: Worm.Zafi.B Intercepted virus from <rina@willmar.com> to <ostov@hillsboroughcounty.org>#!/usr/bin/perl + + # Populate a complex data structure with message id's, ip address's, a +nd virus names. This is necesary since the ip address and virus name +are on separate lines but have the same message id. # Count the number of times a virus was sent in descending order # Count the number of times an IP address sent a virus in descending o +rder # Show each unique virus that was sent for each IP address. + + + + + use warnings; use diagnostics; use strict; + + my $email; my $ip_addr; my %ip_addr; my $virus; my %virus; my $Virus; my $sender; my $Sender; my $recipient; my $Recipient; my $message_id; + + print "Shows a count of each virus type:\n"; + + open(FILE, "/var/log/maillog"); while(<FILE>) { + + if (/(?:\d|\D)+sendmail\[(?:\d)+\]:\s((?:\w)+):(?:\d|\D)+\[(\d+\.\d+\. +\d+\.\d+)\]/) { $message_id = $1; $ip_addr = $2; unless ( $ip_addr eq "127.0.0.1" ) { $email->{$message_id}{ip_addr} = $ip_addr; + + } } elsif (/(?:\d|\D)+clamav-milter\[(?:\d)+\]:\s((?:\w)+):\sstrea +m:\s(\d|\D+)\svirus from \<((?:\d|\D)+)\> to \<((?:\d|\D)+)\>/) { $message_id = $1; $virus = $2; $sender = $3; $recipient = $4; + + $email->{$message_id}{virus} = $virus; $email->{$message_id}{sender} = $sender; $email->{$message_id}{recipient} = $recipient; + + } } close(FILE); + + foreach $message_id ( keys %{ $email } ) { if ( $email->{$message_id}{virus} ) { $virus = $email->{$message_id}{virus}; $ip_addr = $email->{$message_id}{ip_addr}; $recipient = $email->{$message_id}{recipient}; $sender = $email->{$message_id}{sender}; #Counts total number of times a virus was sent $ip_addr{$virus}++; #Counts total number of virus's sent by IP address $virus{$ip_addr}++; #Counts total number of unique virus's per IP address $email->{$ip_addr}->{virus}{$virus}++; #Counts total number of unique senders per IP address $email->{$ip_addr}->{sender}{$sender}++; } } + + sub hashValueDescendingVirus { $email->{$ip_addr}{virus}{$b} <=> $email->{$ip_addr}{virus}{$a}; } + + sub hashValueDescendingRecipient { $email->{$ip_addr}{recipient}{$b} <=> $email->{$ip_addr}{recipient} +{$a}; } + + sub hashValueDescendingSender { $email->{$ip_addr}{sender}{$b} <=> $email->{$ip_addr}{sender}{$a}; } + + sub hashValueDescendingNum { $ip_addr{$b} <=> $ip_addr{$a}; } + + sub hashValueDescendingIp { $virus{$b} <=> $virus{$a}; } + + foreach $virus (sort hashValueDescendingNum (keys(%ip_addr))) { print "Count is $ip_addr{$virus} for $virus\n"; } + + print "\nShows uniques hosts with a virus count over 10:\n"; + + foreach $ip_addr (sort hashValueDescendingIp (keys(%virus))) { if ($virus{"$ip_addr"} >= "10") { + + print "\n$ip_addr sent the following virus's a total o +f $virus{$ip_addr} times: \n"; foreach $Virus (sort hashValueDescendingVirus (keys( % +{ $email->{$ip_addr}{virus} } ))) { print "$Virus was transmitted $email->{$ip_add +r}{virus}{$Virus} times.\n"; } print "\n"; + + if ($ip_addr eq "207.156.7.1") { foreach $Sender (sort hashValueDescendingSende +r (keys( %{ $email->{$ip_addr}{sender} } ))) { print "Possibly spoofed address $Sende +r was seen $email->{$ip_addr}{sender}{$Sender} times.\n"; } } } }
|
|---|
| Replies are listed 'Best First'. | |
|---|---|
|
Re: Errors with sorting hashs
by dragonchild (Archbishop) on Aug 27, 2004 at 13:33 UTC | |
by red-beard (Scribe) on Aug 27, 2004 at 14:02 UTC | |
by dragonchild (Archbishop) on Aug 27, 2004 at 14:15 UTC | |
by red-beard (Scribe) on Aug 27, 2004 at 18:17 UTC | |
by red-beard (Scribe) on Aug 27, 2004 at 14:23 UTC | |
by red-beard (Scribe) on Aug 27, 2004 at 14:31 UTC |